Privacy notice
This notice describes how Railflows ("we") collects, uses and stores personal data and business information when buyers and providers use the Railflows RFQ workspace. It is an Alpha draft and will be reviewed by legal counsel before general release.
Who we are
Railflows is operated from Sweden. Contact for data questions: privacy@railflows.com.
What we collect
Account data
- Email address (required for sign-in)
- User name, organization name, website (provided during onboarding)
- Sign-in timestamps, IP address and user-agent (for security)
RFQ data (buyers)
- Company type, use case, customer type, regulated status
- Volume and ticket bands, payment types, settlement requirement, timeline
- Corridors (source/destination country and currency)
- Risk and onboarding profile responses
- Free-text pain-point and flow-of-funds descriptions
- Contact name, contact email and optional phone for the RFQ
- Uploaded documents (private by default)
Provider profile data
- Provider type, regulatory status, licences
- Supported regions, countries, currencies, payment types, settlement models
- Minimum monthly volume, prefunding, credit availability
- Risk appetite, customer segments accepted / excluded, jurisdictional limits
- Stablecoin capabilities (where applicable)
- Indicative response terms when a provider responds to an RFQ
Activity data
- Audit log of sensitive actions (sign-in, approval, matching, reveal, comparison release, outcome)
- Email delivery records
- Buyer and provider feedback ratings and notes
What we do with it
- Run the platform. Process accounts, RFQs, matching, responses, reveals and comparisons.
- Curate matches. Admins read the data above to decide which providers should see which RFQs.
- Build anonymized intelligence. Aggregated and de-identified patterns (e.g. "X% of providers covering SE→NG quote settlement within T+1") may inform market commentary and future Railflows products. Anonymized intelligence never includes buyer identity, contact information, or uploaded documents.
- Support and security. Investigate abuse, debug issues, comply with legal requests.
Who can see what
- Providers see only the admin-curated anonymized RFQ summary unless and until the buyer approves a reveal request.
- Buyers see their own RFQs, the released comparison output and feedback they have submitted.
- Railflows admin staff see all RFQs and provider profiles in order to operate the marketplace.
- We do not sell personal data.
Retention
Account, RFQ and audit data are retained for the duration of the account plus 24 months for accounting and dispute purposes, then deleted or anonymized. Magic-link tokens are deleted on first use or expiry, whichever comes first. Aggregate, de-identified intelligence may be retained indefinitely.
Your rights
Subject to applicable data protection law (including GDPR for EU/EEA users), you can request access to your personal data, correction, deletion, restriction or portability by emailing privacy@railflows.com. You can also lodge a complaint with your local supervisory authority.
Subprocessors
- Cloudflare — hosting, database (D1), object storage (R2). EU/EEA region.
- Resend — transactional email delivery.
Changes
We'll update this notice on this page and email account holders if changes are material.
Last updated alongside the Alpha launch.